I served for 6 years as a National Committeeman and Advisor to the Federal Communications Commission (FCC) under both Democratic and Republican administrations. I also served as both a USDoD and USDoE CSSO (Computer Systems Security Officer), carrying four security clearances for the protection of highly classified data. My understanding of data privacy laws has been shaped by my experience in government and industry, and by knowledge of how privacy laws impact businesses and consumers.
Privacy law in the US stems principally from the Fourth Amendment to the Constitution. The Fourth Amendment protects people and entities from unreasonable searches and seizures by the government. It is not, however, a guarantee against all searches and seizures, but only against those deemed unreasonable under the applicable laws. That is a very broad definition. When the Fourth Amendment was ratified in 1791, the Internet and the global trade in consumer data as a commodity did not exist. Then, as now, however, the founders and the Constitution acknowledged privacy as a constitutional right.
There is no single, over-arching data protection legislation in the United States currently, though the Constitution broadly empowers the U.S. Federal Trade Commission (FTC) to bring enforcement actions to protect consumers against unfair or deceptive practices and to enforce federal privacy and data protection regulations.
The Privacy Act of 1974, as amended to present (5 U.S.C. 552a), protects records about individuals that are retrieved by personal identifiers such as a name, social security number, or other identifying number or symbol. But in many regards, the 1974 Privacy Act does not clearly establish legal parameters for data privacy, nor does it codify enforcement mechanisms for the illegal sale or theft of digital information about consumers. In a world increasingly driven by data systems and e-commerce, fraud and identity theft stemming from the acquisition of consumer data (whether obtained legally or illegally) are a glaring problem. This creates complex dynamics in which digital ecosystems and automation have erased national and legal jurisdictions. Personal privacy has been a casualty of this digital transformation, and American laws have not kept up.
As we all know, or have personally experienced, privacy laws are meaningless without enforcement.
Modern Privacy Legislation: California, Virginia, Washington
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
The Washington Privacy Act (WPA) is similar to CCPA. The 2021 WPA is divided into four parts. Part 1 concerns the processing of personal data by the private sector. Parts 2 and 3, which are new to the WPA, concern the processing of personal data for public health emergencies, including contact tracing. Those parts were written in response to the COVID-19 pandemic. Part 4 contains miscellaneous provisions, such as effective dates. As of this writing, the WPA has not yet been signed into law, though it is widely expected to be some time soon.
Recently, Virginia became the second state to pass a comprehensive data privacy regulation. Governor Ralph Northam signed the Virginia Consumer Data Protection Act (“VCDPA”) into law on March 2, 2021. The VCDPA will grant Virginia residents the rights to access, correct, delete, and know their personal information, and to opt out of its sale and of its processing for targeted advertising purposes. This is similar to the CCPA and the CPRA (California Privacy Rights Act); however, the VCDPA departs from its California counterparts and aligns with the European Union’s General Data Protection Regulation (“GDPR”) in a few key areas. These include the adoption of data protection assessment requirements and of “controller” and “processor” terminology.
Other states may soon follow California, Virginia, and Washington. The result is that the landscape of data privacy regulations is changing rapidly, and while the drive is being led by state legislatures, there may be federal regulations on the horizon. This creates many challenges for businesses, which must comply not with one set of compliance standards but with a distinct set of standards in each state that has data privacy regulations.
How will data privacy regulations shape industry going forward?
How well modern data systems work is a matter of opinion: if your bank account is hacked or hospital medical records are stolen, we can call that a breach, a major hack, or data theft. When I say a matter of opinion, I mean that the attackers are quite satisfied with our hit-or-miss protection systems and laws. Even the experts get blind-sided by sophisticated hackers, and then we hear about 8 million medical records stolen, insurance data breaches, or bank errors and system failures.
In my experience with defense encryption systems, we tried to stay a step or two in front of the bad guys. But this doesn’t always work. In the cat-and-mouse game of cybersecurity and hackers, sometimes the mouse gets the cheese. In those cases, it’s very important that we establish legal liabilities and enforcement mechanisms so that victims have recourse. Privacy regulations can serve as a deterrent, but also as a way of defining the cost of non-compliance. The potential liability in penalties and litigation for failing to comply with these new laws cannot be overstated. Businesses will suffer direct losses for insufficiently protecting consumer information. Once businesses realize that CCPA and similar laws can directly impact their bottom line, they will get serious about compliance in a hurry. Protecting consumer information will be considered a necessary cost of doing business with data.
Those who seek illegal access to personal and professional records will continue to hack and access privacy information. But for the first time, hackers and businesses alike can now calculate the financial cost of stealing consumer data in California and Virginia. Those costs give teeth to the new data privacy laws.
Most Americans Have Personal Experience with Data Theft
My own personal experience with data theft includes an incident in 2007. $60,000 was taken by a NYC-based credit card fraud scheme that was traced back to Russians working with a conspirator at Bank of America. For recourse, I turned to the FBI, an agency I have worked with in the past. It took over three months to recover the stolen funds.
Not everyone is so lucky. We only need to read online accounts, news reports, and industry records to understand the magnitude of the financial losses sustained by everyday Americans who have done nothing more than register online accounts with various e-commerce platforms or open a bank account. This has eroded consumer confidence in financial and law enforcement institutions.
The task ahead is for the public and private sector to come together to protect free markets and consumer culture in the Information Age. Privacy laws, led by CCPA, are charting a new course and will have a major impact on the future of data-driven commerce.